SAML, Liberty Alliance, openLiberty, and Concordia
Eve Maler, Sun Microsystems, Inc.
www.xmlgrrl.com/blog

Page 1: SAML, Liberty Alliance, openLiberty, and Concordia


Page 2

Federated identity means distributing identity tasks and information across domains

[Diagram: a user, through a browser (or other interface), deals with an identity provider (login site) and a relying party (web application or community). Each party's thought bubbles:]

Identity provider: "Great! I like being in control of my valuable users and their attributes!" / "How do I trust the relying parties that approach me? How can I better authn my users?..."

Relying party: "Great! I can simplify my user management and authn architecture!" / "How valuable a service can I offer based on authn quality and transaction security?..."

User: "Great! I can authn only once (single sign-on) and still get to use multiple web sites!" / "Am I being phished? Should I allow my attributes to be sent to and stored at these websites?..."

Page 3

SAML in a verbal nutshell

• XML-based framework standardized at OASIS for:
  > Marshaling security and identity information
  > Exchanging it across domain boundaries
• Out-of-the-box profiles for:
  > Single sign-on, single logout, privacy-preserving account linking, simple arbitrary attribute exchange...
• At SAML's core: assertions about subjects
  > Authentication, attributes, entitlements
  > SAML assertions are reused in many other specs
• SAML V2.0 + business guidelines + interop certification testing = “Liberty Federation”
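The single sign-on profile just mentioned, seen from the relying party's side, as an added example that is not part of the slides or of any OASIS or Liberty code: the SP builds an AuthnRequest, DEFLATE-compresses and base64-encodes it into the SAMLRequest query parameter of the HTTP Redirect binding, and remembers the request ID so that the IdP's Response can be tied back to it through InResponseTo and each ID is honoured only once. The entity IDs and URLs are hypothetical, and the Response used to exercise the tracker is constructed inline and unsigned.

```python
"""Added example (not from the slides): SP side of SAML 2.0 web browser SSO
over the HTTP Redirect binding. Entity IDs and URLs are hypothetical."""
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id, issue_instant):
    """Minimal AuthnRequest. The ID must be an XML NCName, hence the leading '_'."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>"
    )


def redirect_encode(xml_text):
    """HTTP Redirect binding: raw DEFLATE (no zlib header or trailer), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def redirect_decode(param):
    """Inverse of redirect_encode: what the IdP does with the SAMLRequest value."""
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")


def build_redirect_url(idp_sso_url, xml_text, relay_state):
    """URL the SP sends the browser to; urlencode escapes the '+', '/' and '=' of base64."""
    query = urllib.parse.urlencode(
        {"SAMLRequest": redirect_encode(xml_text), "RelayState": relay_state}
    )
    return f"{idp_sso_url}?{query}"


def parse_redirect_url(url):
    """IdP side: recover the AuthnRequest XML and the RelayState from the redirect URL."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return redirect_decode(qs["SAMLRequest"][0]), qs.get("RelayState", [""])[0]


class RequestTracker:
    """Remembers the request IDs this SP issued, so each Response can be
    correlated through InResponseTo and every ID is accepted at most once."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._issued = {}  # request ID -> expiry, in seconds on the caller's clock

    def new_id(self, now):
        rid = "_" + secrets.token_hex(16)
        self._issued[rid] = now + self.ttl
        return rid

    def consume(self, response_xml, now):
        """Return the matched request ID, or None when the Response is
        unsolicited, expired, already consumed, or does not report success."""
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP}}}Response":
            return None
        rid = root.get("InResponseTo")
        expiry = self._issued.pop(rid, None)  # one shot: the ID is gone whatever follows
        if expiry is None or now > expiry:
            return None
        status = root.find("samlp:Status/samlp:StatusCode", {"samlp": SAMLP})
        if status is None or status.get("Value") != SUCCESS:
            return None
        return rid
```

Two caveats a deployer should keep in mind: RelayState comes back from the IdP exactly as sent, so the SP must treat it as untrusted input (only ever redirect to a local path it recognises), and the tracker above only correlates the Response; the assertion inside it still has to have its signature and conditions checked before the SP believes anything about the user.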

Page 4

SAML in a pictorial nutshell

[Diagram of the SAML 2.0 building blocks:]

• Assertions of authn, attribute, and entitlement information
  > Authentication statement
  > Attribute statement
  > Authz decision statement
• Protocols to get assertions and do identity mgmt
  > Assertion request
  > Authentication request
  > Name ID management
  > Single logout
  > Custom
• Bindings onto standard communications protocols
  > SOAP over HTTP
  > PAOS
  > HTTP redirect
  > HTTP POST
  > HTTP artifact
  > SAML URI
  > Custom
• Profiles combining binding, assertion, and protocol use to support defined use cases
  > Web browser SSO
  > Enhanced client SSO
  > IdP discovery
  > Single logout
  > ... Custom
• Attribute profiles for interpreting attrib semantics
• Operational modes for use in conformance testing and RFPs
  > IdP, IdP Lite, SP, SP Lite, Enhanced client ...
• Metadata to describe provider abilities and needs
• Authentication context classes to describe types of authentication performed/desired
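An assertion carrying the first two statement types listed above (authentication and attribute), parsed and then checked the way an SP consuming the web browser SSO profile has to check it: issuer, validity window, audience restriction, and the bearer subject confirmation's recipient and expiry. This is an added example, not code from the slides or from any of the projects they mention; the IdP, SP and assertion consumer service identifiers are hypothetical, and the assertion is constructed inline and unsigned. Signature verification is deliberately out of scope here (it needs an XML-DSig implementation) and must happen before any of these checks count for anything.

```python
"""Added example (not from the slides): parse a constructed SAML 2.0 assertion
and apply the checks an SP makes before trusting it. Identifiers are
hypothetical. No signature verification here: real code does that first,
with an XML-DSig library."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: one authentication statement, one attribute statement,
# bearer subject confirmation, time-bounded and audience-restricted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a75adf55" Version="2.0" IssueInstant="2007-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/saml2</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">_9f3c2b</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml2/acs"
          NotOnOrAfter="2007-05-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-05-01T11:59:00Z" NotOnOrAfter="2007-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml2</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2007-05-01T11:59:30Z" SessionIndex="_s1">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role">
      <saml:AttributeValue>editor</saml:AttributeValue>
      <saml:AttributeValue>reviewer</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_instant(value):
    """SAML dateTime values are UTC ('Z'); fractional seconds are not handled here."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Extract the fields an SP decides on. Stdlib ElementTree keeps this
    self-contained; production code should use a hardened parser (e.g. defusedxml)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion")
    conds = root.find("saml:Conditions", NS)
    sc = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = None if sc is None else sc.find("saml:SubjectConfirmationData", NS)

    def attr(elem, name):
        return None if elem is None else elem.get(name)

    def when(elem, name):
        value = attr(elem, name)
        return None if value is None else parse_instant(value)

    return {
        "version": root.get("Version"),
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "name_id": (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip(),
        "confirmation_method": attr(sc, "Method"),
        "recipient": attr(scd, "Recipient"),
        "confirmation_expires": when(scd, "NotOnOrAfter"),
        "not_before": when(conds, "NotBefore"),
        "not_on_or_after": when(conds, "NotOnOrAfter"),
        "audiences": [a.text.strip() for a in
                      root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "authn_context": root.findtext(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
        "attributes": {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                       for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)},
    }


def validate_for_sp(a, expected_issuer, sp_entity_id, acs_url, now):
    """Return the reasons to reject; an empty list means the assertion passes
    the profile checks (signature aside)."""
    problems = []
    if a["version"] != "2.0":
        problems.append("version is not 2.0")
    if a["issuer"] != expected_issuer:
        problems.append("issuer is not the configured IdP")
    if a["not_before"] is None or a["not_on_or_after"] is None:
        problems.append("validity window not bounded")
    elif not (a["not_before"] <= now < a["not_on_or_after"]):
        problems.append("outside validity window")
    if sp_entity_id not in a["audiences"]:
        problems.append("SP not in AudienceRestriction")
    if a["confirmation_method"] != BEARER:
        problems.append("unsupported SubjectConfirmation method")
    else:
        if a["recipient"] != acs_url:
            problems.append("bearer Recipient is not this ACS URL")
        if a["confirmation_expires"] is None or now >= a["confirmation_expires"]:
            problems.append("bearer confirmation expired")
    if a["authn_context"] is None:
        problems.append("no AuthnStatement")
    return problems
```

The validator collects every failure rather than stopping at the first, which is what you want in an SP's audit log: an assertion that is both expired and addressed to a different audience is telling you something different from one that merely arrived a few seconds late, and the authentication context class it reports is what the SP compares against the strength of authentication it asked for.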

Page 5

SAML, Shibboleth, and Liberty Federation Framework convergence timeline

2002: SAML 1; Liberty “Phase 1”
  Liberty bases new federation standard on emerging SAML standard
2003: SAML 1.1; Liberty ID-FF 1.1, 1.2; Shibboleth 1.0, 1.1
  Liberty tracks SAML evolution; Internet2 Shibboleth bases its solutions on SAML also
2004: Shibboleth 1.2
  Liberty contributes ID-FF to OASIS for SAML2 convergence; Shibboleth also takes part
2005: SAML2 = Liberty Federation
  Liberty endorses SAML2 as its identity federation solution and provides interop and conformance testing; Shibboleth is working on new SAML2-based APIs

Legend: X→Y = design of X feeds into Y (with direct dependencies except in the SAML2 case)

Page 6

Liberty Alliance in a verbal nutshell

• A community of ~150 businesses, organizations, government agencies – and now individuals
  > With a long list of .org relationships...
• Its mission since 2001:
  > Foster a ubiquitous, interoperable, privacy-respecting federated identity layer for web applications and services
• Deliverables are the result of three work streams:
  > Gathering requirements from deployers and users
  > Gathering privacy policy and global regulatory requirements
  > Developing open technology standards (and testing software for interop)
• Tackles business and technical requirements for “trust”

Page 7

Liberty in a pictorial nutshell

[Diagram: identity provider (login site), relying party (web application or community), user, and browser (or other interface), with the Liberty frameworks placed around them:]

• ID-WSF: Identity Web Services Framework
  > Focused on application-to-application interaction
  > Permission-based attribute sharing and user-absent scenarios
• ID-FF: Identity Federation Framework
  > Focused on human-to-application interaction
  > Now converged with SAML2
• ID-SIS: Identity Service Interface Specifications
  > Focused on ID-based services
  > Personal profile, geolocation...
  > Uses WSP/WSC terminology
  > Liberty Web Services = ID-WSF + ID-SIS
• Advanced Client
  > Client as extension of the IdP
  > Strong local authn, and local-hosted services
  > More features coming soon
• ID-SAFE: Identity Strong Auth Framework
  > Interoperable strong auth
  > In the requirements phase
• openLiberty.org: open source for web service consumers
  > Eventually other projects too

Page 8

The Liberty People Service

• A “groups and roles” service that is agnostic as to where all the identities are managed
  > You can base ACLs and other behavior on them
  > Versus today's popular web apps, which restrict the means of building ACLs
• You are effectively creating person-to-person federations between you and others
• Useful for social and business scenarios:
  > Soccer team calendar control, business networking, access-controlled collaborative spec editing, project-specific confidential material access...

Page 9

Some FOSS for SAML and Liberty

• openLiberty.org (http://www.openliberty.org)
  > The new home for Liberty-related OSS
• OpenSAML (http://www.opensaml.org) - Apache license
  > Java/C++ libraries giving low-level access to SAML 1.x functionality
• Shibboleth (https://spaces.internet2.edu/display/SHIB/WebHome) - Apache license
  > SAML 1.x IdP, SP functionality
  > Plugs in to Apache httpd, IIS, Sun/iPlanet
• OpenSSO (http://opensso.dev.java.net) - CDDL license, based on Mozilla Public License 1.1
  > Java-based ID-FF, SAML and ID-WSF support; “Project Lightbulb” adds PHP and Ruby
  > (OpenID support now available too)
• Lasso (http://lasso.entrouvert.org/) - GPL or commercial license
  > C libraries offering Liberty ID-FF 1.2, ID-WSF 1.x low-level support
  > SWIGified bindings for Python, Perl, Java and PHP
• ZXID (http://www.zxid.org)
  > C, Perl (SWIGified) libraries with ID-FF 1.2, SAML 2, ID-WSF 1.x, 2 low-level support
  > C executable CGI, Perl and PHP scripts for acting as an SP
• “Conor’s Stuff” (http://www.cahillfamily.com/OpenSource/) - BSD license
  > C libraries for ID-WSF 1.x, 2.0 WSC, Java WSP libraries

Thanks to John Kemp for doing most of the data compilation!

Page 10

The Concordia Program

• Umbrella initiative to drive harmonization and interop of multiple identity protocols
• Based on open discussions/events to develop use cases exploring the “seams” where heterogeneous protocols meet (or don't) in deployment
• Could result in additional specs, profiles, or services being developed at Liberty or elsewhere
• Anticipates expansion of the Liberty Interoperable program
• See the wiki for use cases and to get involved
• Let's hold an IIW session on use cases...

Page 11

The Venn of identity: SAML and Liberty with a bit of context (remember Saki)

[Venn diagram of three overlapping circles:]

• CardSpace: phishing-resistant authentication and attribute sharing through client; “card” paradigm; requires WS-Trust; can front-end various SSO systems
• OpenID: distributed authentication and simple attribute sharing around URI-based IDs; low-trust scenarios; explicitly no need for preconfigured trust
• SAML, Liberty Web Services: SSO, single logout; permission-based attrib sharing; user-absent use cases; optimized for “circles of trust”; interop cert program

Labels in the overlaps: solutions for consistent user experience; SAML tokens in XML msgs, enterprise security & privacy, smart clients; supports user control/empowerment models; can do authn against URI-based IDs, authn-method agnostic

Thanks to Paul Madsen for the initial content and Johannes Ernst for the “three standards” paradigm!

Page 12

References

• SAML at OASIS: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
• SAML2 Basics slides: http://www.oasis-open.org/committees/download.php/20520/SAMLV2.0-basics-Oct2006.pdf
• Liberty Alliance: http://www.projectliberty.org/
• ID-FF interoperability matrices: http://www.projectliberty.org/liberty/liberty_interoperable/interoperable_products
• ID-WSF Basics slides: http://www.projectliberty.org/liberty/content/download/2661/17923/file/idwsf-basics-22jan2007-Eve Maler.pdf
• ID-SIS specifications: http://www.projectliberty.org/resource_center/specifications/liberty_alliance_id_sis_1_0_specifications
• Advanced Client specs overview: http://www.projectliberty.org/liberty/content/download/2658/17911/file/AdvancedClient-20070122-Conor Cahill.pdf
• ID-SAFE FAQ: http://www.projectliberty.org/liberty/resource_center/faq/strong_authentication__1
• Concordia wiki: http://wiki.projectliberty.org/index.php/Concordia

Page 13

Thanks! Questions?

Eve Maler
[email protected]
www.xmlgrrl.com/blog